Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 10:14
Static task: static1
Behavioral task: behavioral1
- Sample: a4045703e0b9a134174c1c1ced434530N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: a4045703e0b9a134174c1c1ced434530N.exe
- Resource: win10v2004-20240802-en
General
- Target: a4045703e0b9a134174c1c1ced434530N.exe
- Size: 77KB
- MD5: a4045703e0b9a134174c1c1ced434530
- SHA1: a80562871a961cb6756c570e9fc5850cf6a61ca2
- SHA256: a1573a07561f46923c863dc86574c95d198f114baeae431a59b35d1185d26798
- SHA512: 05c5afa696d01cb1f93b45f4ddd583b3e51366d4fb33505b243280c030ae46dcf637b38a34564ab1a9294c02d07422b98b09dd31095bef0fb83a053f3c2f3dfc
- SSDEEP: 1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK0:FD40Dmx7y9DZ/Z2hGVkK0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | a4045703e0b9a134174c1c1ced434530N.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a4045703e0b9a134174c1c1ced434530N.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a4045703e0b9a134174c1c1ced434530N.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | a4045703e0b9a134174c1c1ced434530N.exe
Executes dropped EXE (12 IoCs)
pid | Process
4072 | SVCHOST.EXE
920 | SVCHOST.EXE
3084 | SVCHOST.EXE
1628 | SVCHOST.EXE
2444 | SVCHOST.EXE
2096 | SPOOLSV.EXE
4660 | SVCHOST.EXE
4540 | SVCHOST.EXE
4508 | SPOOLSV.EXE
4256 | SPOOLSV.EXE
4208 | SVCHOST.EXE
3844 | SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | a4045703e0b9a134174c1c1ced434530N.exe
File opened for modification | F:\Recycled\desktop.ini | a4045703e0b9a134174c1c1ced434530N.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | a4045703e0b9a134174c1c1ced434530N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4045703e0b9a134174c1c1ced434530N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Explorer.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (29 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | a4045703e0b9a134174c1c1ced434530N.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\QuickTip = "prop:Type;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\TileInfo = "prop:Type;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3312 | WINWORD.EXE
3312 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (20 IoCs)
pid | Process
3376 | a4045703e0b9a134174c1c1ced434530N.exe
4072 | SVCHOST.EXE
920 | SVCHOST.EXE
3084 | SVCHOST.EXE
1628 | SVCHOST.EXE
2444 | SVCHOST.EXE
2096 | SPOOLSV.EXE
4660 | SVCHOST.EXE
4540 | SVCHOST.EXE
4508 | SPOOLSV.EXE
4256 | SPOOLSV.EXE
4208 | SVCHOST.EXE
3844 | SPOOLSV.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
3312 | WINWORD.EXE
Suspicious use of WriteProcessMemory (44 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe (PID 3376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Checks computer location settings; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\recycled\SVCHOST.EXE (PID 4072)
    Command line: C:\recycled\SVCHOST.EXE :agent
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\recycled\SVCHOST.EXE (PID 920)
      Command line: C:\recycled\SVCHOST.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE (PID 3084)
      Command line: F:\recycled\SVCHOST.EXE :agent
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\recycled\SVCHOST.EXE (PID 1628)
        Command line: C:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE (PID 2444)
        Command line: F:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE (PID 2096)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\recycled\SVCHOST.EXE (PID 4660)
          Command line: C:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE (PID 4540)
          Command line: F:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE (PID 4508)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE (PID 4256)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\userinit.exe (PID 3328)
      Command line: C:\Windows\system32\userinit.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Explorer.exe (PID 3592)
        Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        Signatures: System Location Discovery: System Language Discovery
  - F:\recycled\SVCHOST.EXE (PID 4208)
    Command line: F:\recycled\SVCHOST.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE (PID 3844)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3312)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.doc" /o ""
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 4592)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 77KB
  MD5: 67ceb7e39edea04e82bfc6d93da87a7a
  SHA1: 4533753acc1efc6869133590386c4766581c9dad
  SHA256: 7b73ddd698d25a4fb9c894e6f81078bf1ea8d7114137174a07594c7ff9e5a995
  SHA512: 7f81b5cd41c02f2fbb4412e655bb6873df877e3419938e40d66b21acd111b440800040105f8ac283b3b94ece4b3be9b009a17121d9397554dfe57990d4263f12
- Filesize: 77KB
  MD5: af46ea7aa5188b72ed5c1becb73a7ce1
  SHA1: 266ebce9bebcba7aa4979c550a27002f532eb26e
  SHA256: 8349579280e245e66513b8b86628e755b95d78859ecf6ffb34edeeb799084da2
  SHA512: 91ad4a82c89dd0738d7ea2eb8957e4cfd99b86be220e01c9b3ca385aac146c86511f761d9d2b0475590f9d521e7e3fce57685a229118473b80e71e49fd7b96a4
- Filesize: 65B
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
- Filesize: 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 2KB
  MD5: 3fd06adbf5a8ec69b1a13f43897c9676
  SHA1: c75f4df8db6fceaf393841088b59d2861a413347
  SHA256: 2cf2cf35c741af3ac22816355fb1868c83636ed1f14d4a29ff2c0a087e112aa0
  SHA512: 3a7d6142a03ab824d332a1d9f60e6998c6ec8fdd8a3eeb63789f866f8a7022633583b1a35957bdd4646fff031978114ef0aa23a3849e497522b560ae1c96eb05
- Filesize: 2B
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
- Filesize: 77KB
  MD5: 7f45679ac099db366907493c01f85d61
  SHA1: 5da82af44292bb4376fe7c3b6f1c8878e5759bf8
  SHA256: 0c222d36a99c76dd72371f876a41a75d9c9b5284f77be8b64b1d90cd2c5830e2
  SHA512: 5d5a4806d54b2ad4e31634174cd2209ae2a4cf21e23a11013ad1dff60079c0c29e198136c2562d19471ea0f315549bdc4ab9245ddce41198c80e870a76f27ad9